“Ultimately, the sponsor’s name is on the submission. The vendor’s name is not.”

Lauren Alani

An inspector arrives at a sponsor’s office to review a closed-out Phase 2 study. The sponsor’s clinical operations lead opens the meeting confidently. The systems were built and validated by the eCOA vendor. The trial was run by a Tier 1 CRO. The data management plan was authored jointly. Everything is documented somewhere.

The inspector asks one question: where is your evidence that the sponsor exercised oversight of the data flow from electronic source through to submission database?

The room goes quiet. The vendor’s validation package is in a SharePoint folder. The CRO’s monitoring reports are in another folder. The data management plan references both. But the sponsor’s own oversight evidence, the documentation that demonstrates the sponsor saw the data move, asked the right questions, and accepted the answers, is thin. There are emails. There are meeting minutes. There is no structured oversight record.

The MSA assigned the vendor to build and validate. The CRO services agreement assigned trial conduct. The data management plan assigned data management. The protocol was signed by the sponsor. And under ICH GCP E6(R3), the sponsor is responsible for the conduct of the trial regardless of which activities are delegated. That responsibility does not transfer with a contract. It cannot be assigned away.

The MSA myth

I have lost count of the number of sponsor leaders who, when pressed, will say something like: “we paid the vendor to validate the system, that’s their job, they have ISO certifications.” Or: “the CRO is a Tier 1, they handle compliance, that’s why we chose them.” Both statements are factually accurate. Neither is regulatorily sufficient.

The danger of that assumption is that ultimately, when an inspector or an auditor asks for evidence, regulators do not write to the vendor. They do not write to the CRO. They write to the sponsor. The sponsor is the holder of the IND, the CTA, or the regulatory dossier. The sponsor is the legal person under regulatory scrutiny. And the sponsor is the entity that has to demonstrate, with documentation, that the trial’s data is fit for purpose.

Contracts are mechanisms for delegating execution and allocating commercial risk. They are not mechanisms for transferring regulatory accountability. The drafting language used in master service agreements (the indemnities, the warranties, the SLAs) creates the comforting illusion that someone else is now holding the bag. Read carefully, the language almost always reserves regulatory accountability with the sponsor. Because the regulator does not recognise any other holder.

Where the assumption shows up in practice

The MSA myth has three common operational expressions. Each looks sensible in isolation. Together they produce inspection findings.

1. “The vendor’s system is validated”

Vendor validation is a real thing. It documents that the system, as built, performs to its documented requirements. What it does not do is validate the sponsor’s configuration of that system in the context of this specific trial, mapped against this specific protocol. Configuration is sponsor work. The risk-based validation strategy that frames it is sponsor work. The user acceptance testing that confirms the configured system meets the trial’s intended use is sponsor work.

Inspectors will accept that the platform is vendor-validated. They will then ask to see the sponsor’s evidence of fit-for-purpose configuration, validation oversight, and acceptance. If that evidence is “the vendor told us it was fine,” the finding is already written.

2. “The CRO is handling that”

CROs run trials. They write data management plans. They monitor sites. They produce listings, queries, and clean databases. All of this is delegated work. Per ICH GCP E6(R3) §5.2, the sponsor remains responsible for the quality and integrity of trial data even when the trial is conducted by a contract organisation. The standard is explicit: the sponsor’s quality system has to provide oversight of the delegated parties.

“The CRO is handling that” is not oversight. Oversight is a documented, sponsor-led activity. It produces sponsor-held records. It involves the sponsor asking specific questions, receiving specific answers, evaluating those answers against the protocol and regulatory requirements, and either accepting or escalating. If a sponsor cannot show inspectors that record, the CRO’s good work does not save the sponsor’s position.

3. “We trust them”

Trust is necessary. Trust is also a leadership intuition. It is not an audit-defensible position. The regulator does not ask whether the sponsor trusted the vendor; the regulator asks whether the sponsor verified what the vendor produced, in a structured way, with documentation. Trust is what makes the partnership functional. Verification is what makes the trial defensible.

What the regulators say

ICH GCP E6(R3) §5.2 states the sponsor is “responsible for ensuring oversight” of any trial-related duties and functions transferred to a service provider. EMA’s reflection paper on GCP compliance of clinical trials with computerised systems reinforces that the sponsor must implement processes for ongoing oversight of the use of computerised systems. FDA’s 21 CFR Part 11 requirements apply to the sponsor’s records, not the vendor’s. The position is consistent across major regulatory frameworks: delegation does not equal transfer.

This is not a recent shift. It has been the regulatory position for decades. What has shifted is how often inspectors are now asking specifically for the sponsor’s oversight evidence, in a form that demonstrates active engagement with the data lifecycle. The bar has been raised, and the spotlight is now consistently on the sponsor’s records, not on the vendor’s brochure.

What sponsors can do instead

The shift is from procurement-led to oversight-led thinking. Procurement asks: did we buy a validated system? Oversight asks: can I demonstrate that this system, configured for this trial, produces data we can defend at inspection? The answers are different, and they live in different documents.

A risk-based approach to oversight starts with the trial-level requirements, not the vendor’s documentation. It asks: where does data enter our trial? Through which systems? Where is it transformed? Where does it land? At each handoff, what could go wrong, and what evidence will we hold to demonstrate it did not? The answer to that last question is the sponsor’s oversight record. It is the sponsor’s, not the vendor’s, not the CRO’s.

Practically, this looks like a small set of repeating disciplines: a risk register that is sponsor-owned and sponsor-reviewed; a data flow map that the sponsor signed off on, not just received; user requirement specifications that translate the protocol’s needs into vendor-facing language; a validation oversight plan that says what the sponsor will check, when, and to what threshold; and a documented review cadence that produces records when (not if) inspectors want them.

None of this is exotic. None of it is expensive in absolute terms. It is, however, a different posture than “we’ve engaged a Tier 1 CRO and a validated vendor.” It is the posture of a sponsor that has decided to retain accountability deliberately, structurally, and documentably. It is the only posture that holds up.

The closing question

If an inspector arrived at your office tomorrow and asked for your sponsor-held evidence of oversight across the clinical data lifecycle for your most active trial, where would you start? If the first answer involves “we’ll have to ask the vendor” or “the CRO has that,” the gap is the answer. The work is to close it before someone else asks the question.

Continue reading: The Regulator-Vendor Gap, the structural context that makes this accountability question harder than it should be. For all four perspectives, see the insights archive. To bring this perspective to a stage, podcast, or panel, see the media and booking page.

Frequently asked

The post Accountability cannot be delegated. The sponsor signed the protocol. appeared first on Lauren Alani.